Hi,
I'm trying to do role mapping based on an LDAP group attribute.
Here are my settings for the user DN.
Base DN: dc=example,dc=com
Filter: uid=<user>
I've created a role map based on "user attribute" and I confirmed my username "test" with password "test" is able to log in.
However, there is no OU field on my user entry. I need to create different roles for different groups of users, so I need to role-map using my OU group. Refer to the JPG attached.
Here are my settings for group membership:
Base DN: dc=example,dc=com
Filter: ou=<GROUPNAME>
Member Attribute: ou
Query Attribute: ou
Nested Group Level: 2
When I click "server catalog" I'm able to search for my OU group DNs:
ou=people, dc=example,dc=com | dynamic |
ou=ITD+description=IT Departmental,dc=example,dc=com | dynamic |
ou=AISB,dc=example,dc=com | dynamic |
ou=SOUTH,dc=example,dc=com | dynamic |
ou=newwing,dc=example,dc=com | dynamic |
I'm able to see the groups in my role map -> group membership. I'm able to do a role map by the OU group.
Continue ...
However I'm not able to log in.
Below is the policy trace:
Info PTR23344 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Authentication successful to auth server "test"
Info PTR23371 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Getting directory information from auth server "test"
Info PTR23381 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Group "people" not found in server catalog
Info PTR23345 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Retrieved directory information from auth server "test"
Info PTR23344 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Authentication successful to auth server "[Unknown Server]"
Info PTR10209 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Realm test running 1 mapping rules for user test
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable user = "test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable password = "****"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userName = "test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable protocol =
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable realm = "test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable loginTime = Thu Mar 11 16:13:47 2010
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userAttr.uid = "test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userAttr.userpassword = "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable groups =
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable loginURL = "*/"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable sourceIp = 10.1.2.127
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable loginHost = "10.1.1.147"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userAgent = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable networkIF = "internal"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDN.cn = "Test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDN.ou = "people"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDN.dc = "example"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDN.dc = "com"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDNText = "cn=Test,ou=people,dc=example,dc=com"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "****"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "Test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "people"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "example"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "com"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "cn=Test,ou=people,dc=example,dc=com"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "test"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] = "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable [email protected] =
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable cacheCleanerStatus = false
Info PTR10218 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - No match on rule 'groups = 'people''
Info PTR10207 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Realm test did not map user test to any roles
Info PTR23334 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Sign-in rejected. Reason: NoRoles
Info PTR10104 2010/03/11 16:13:58 - [10.1.2.127] - Root::admin(Admin Users)[.Administrators] - test:test - Policy Tracing turned off
Appreciate any kind of help as I'm not familiar with LDAP and its integration with Juniper SSL VPN.
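Added example (not from the thread or from Juniper): a small Python parser for policy-trace lines like the ones above. It pulls out the mapping variables, the unmatched rule, the server-catalog miss and the rejection reason, then reports which of the user's own attributes actually carries the value the `groups` rule was looking for. The sample lines are copied from the trace above; the field layout (`' - '`-separated) is inferred from them.

```python
import re

# Constructed sample: lines copied verbatim from the policy trace posted above.
TRACE = """\
Info PTR23381 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Group "people" not found in server catalog
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable groups =
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDN.ou = "people"
Info PTR10305 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Variable userDNText = "cn=Test,ou=people,dc=example,dc=com"
Info PTR10218 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - No match on rule 'groups = 'people''
Info PTR23334 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Sign-in rejected. Reason: NoRoles
"""

# Message patterns the appliance emits while running mapping rules (taken from the trace above).
VAR_RE = re.compile(r'^Variable (\S+) =\s*(.*)$')
NOMATCH_RE = re.compile(r"^No match on rule '(.*)'$")
MISSING_RE = re.compile(r'^Group "([^"]+)" not found in server catalog$')
REJECT_RE = re.compile(r'^Sign-in rejected\. Reason: (\w+)$')

def parse_trace(text):
    """Collect mapping variables, failed rules, catalog misses and the rejection reason."""
    out = {"variables": {}, "unmatched_rules": [], "catalog_missing": [], "reason": None}
    for line in text.splitlines():
        msg = line.split(" - ", 3)[-1]  # fields: code+timestamp, [client IP], Root::user(realm)[roles], message
        if v := VAR_RE.match(msg):
            vals = out["variables"].setdefault(v.group(1), [])  # multi-valued attrs (userDN.dc) repeat the name
            if val := v.group(2).strip().strip('"'):  # an empty value (groups) adds nothing
                vals.append(val)
        elif r := NOMATCH_RE.match(msg):
            out["unmatched_rules"].append(r.group(1))
        elif g := MISSING_RE.match(msg):
            out["catalog_missing"].append(g.group(1))
        elif x := REJECT_RE.match(msg):
            out["reason"] = x.group(1)
    return out

def diagnose(parsed):
    """Explain why each "groups = '...'" rule failed and name attributes that do carry the value."""
    findings = []
    for rule in parsed["unmatched_rules"]:
        if not (m := re.match(r"groups = '([^']+)'$", rule)):
            continue
        wanted = m.group(1)
        if not parsed["variables"].get("groups"):
            findings.append(f"rule {rule!r} cannot match: the groups variable resolved to nothing")
        if wanted in parsed["catalog_missing"]:
            findings.append(f"group {wanted!r} was not found in the server catalog at login time")
        carriers = sorted(n for n, v in parsed["variables"].items() if n != "groups" and wanted in v)
        if carriers:
            findings.append(f"{wanted!r} is carried by user attribute(s): {', '.join(carriers)}")
    return findings
```

Running `diagnose(parse_trace(TRACE))` on the posted trace shows that `groups` resolved to nothing while `userDN.ou` already holds "people", which is the value the rule was written against.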
This is a fun one to troubleshoot, but easy.
Info PTR10207 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Realm test did not map user test to any roles
Info PTR23334 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Sign-in rejected. Reason: NoRoles
Every user that signs in needs to have a role assigned; just assign a role to map to the user group for test.
Thanks for the reply.
I believe I have already assigned it.
Role map -> group membership; the group names would be those attached in the print screen earlier: AISB, people, etc.
You might have the wrong group assigned according to your log:
Info PTR10218 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - No match on rule 'groups = 'people''
Info PTR10207 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Realm test did not map user test to any roles
Info PTR23334 2010/03/11 16:13:47 - [10.1.2.127] - Root::test(test)[] - Sign-in rejected. Reason: NoRoles
I am not an LDAP expert but I am wondering about a couple of your LDAP server settings. If you send me a private message with your email I could send you some shots of my setup.
OK guys, it's 2am here and I'm troubleshooting some other issues. I shall print screen tomorrow morning.
Hi,
this is what I set. The group name was looked up from my LDAP.
I have a feeling my group membership is not correctly configured.